Drive By Downloads: How To Avoid Getting A Cap Popped In Your App

The presentation

Which browser do you claim? What color is your screen-saver? It is a world wide hood out there, don’t let yourself become the next victim of a drive by… a drive by download.

Email attachments have become synonymous with computer viruses and consumers have become accustom to questioning the legitimacy of email touting male enhancement drugs and lottery winnings. This means hackers are having to come up with new ways to distribute malware. Today, just by loading an infected webpage of from a legitimate website, a virus can be downloaded without any other interaction and will often go undetected. Once the virus is on a PC, hackers can access the computer remotely and steal sensitive information like banking passwords, send out spam or install more malicious executables.

According to recent research….

Every 1.3 seconds a new web page is getting infected

As of Q3 2009, every month almost 2,000,000 web pages across more than 210,000 websites are infected with Malware. This is almost double the number of web pages reported for Q4 2008

• 77% of Web sites with malicious code are legitimate sites that have been compromised

The number of malicious sites has grown 671% from 2008-2009

57% of data-stealing attacks are conducted over the Web

Examples of major breaches include the Gumblar attack (Apr '09) with infected over 80,000 web servers in just a few weeks, and the Network Solutions attack (Apr '10) in which thousands of WordPress blogs were infected on a single hosting provider.

In this talk, we describe in technical detail the "anatomy of a modern web-based malware attack." Web-based malware attacks have evolved significantly over the past 4 years. We present the state-of-the-art in web-based malware attacks and describe how the techniques used have evolved over time.

Back in 2007, for instance, a typical drive-by attack would be characterized by single injections of malicious JavaScript or IFRAMES into a legitimate site, and dozens of processes would be dropped/started on infected clients. Such injections would be delivered mainly through web application layer attacks such as SQL injections and stored XSS attacks.

Today, attackers use many additional mechanisms to inject malicious code, and will conduct multiple injections into a single web page (each of which are innocuous), such that when combined and run together, only then will a drive-by-download occur. Such new, multi-DOM node injections foil first generation web-based malware scanners. In addition, attackers now only start an average of 2 to 3 processes instead of dozens, and have started increasing reliance on social engineering (such as fake anti-virus windows) to attempt to foil automated detection technologies.

Finally, there has been an uptick in malvertising and spear-phishing as methods of propagating drive-by-downloads, as was used in China-based attacks against Google and other Fortune 500 companies earlier this year. We provide concrete examples of each of these novel attacks and provide example mal-code from the wild illustrating the anatomy of modern web-based malware attacks.

Neil Daswani

Neil Daswani is a co-founder & CTO of Dasient, Inc., a security company
backed by some of the most influential investors in Silicon Valley and
New York. In the past, Neil has served in a variety of research,
development, teaching, and managerial roles at Google, Stanford
University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia
Technologies). While at Stanford, Neil co-founded the Stanford Center
Professional Development (SCPD) Security Certification Program
(http://proed.stanford.edu/?security). He has published extensively,
frequently gives talks at industry and academic conferences, and has
been granted several U.S. patents. He received a Ph.D. and a master's
in computer science from Stanford University, and earned a bachelor's
in computer science with honors with distinction from Columbia
University. Neil is also the lead author of "Foundations of Security:
What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g. More information about Neil is
available at http://www.neildaswani.com